fail2ban's actions are in /etc/fail2ban/action.d/
filters are in /etc/fail2ban/filter.d/
You seem to be missing the filter for [recidive]
Have you looked at: https://www.dghost.com/techno/internet/the-power-of-fail2ban
[recidive] enabled = true filter = recidive logpath =
Post your jail config section for [recidive] and your 'iptables-allports'
action.
Is XX.XX.XX.XX in
2017-11-16 07:59:07,449 fail2ban.actions [641]: NOTICE [recidive] Ban
XX.XX.XX.XX
an obfuscated public IP address?
Why are your log file entries out of order?
Bill
On 11/26/2017 8:54